The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established to secure credit card data. At this time, PCI DSS is in its third revision with the latest version 3.2 published in 2016. All organizations that are required to be PCI compliant will need to meet all updated requirements in v3.2. The specific multi-factor authentication (MFA) requirements in PCI v3.2 will go into enforcement starting Feb 1, 2018.
In v3.2, PCI DSS puts greater emphasis on multi-factor authentication as a security control against data breaches caused by stolen credentials. For example, in previous revisions, MFA was a required control only for admin console access into the cardholder data environment (CDE).
In its latest revision, PCI extends MFA as a required control for all remote access (console and non-console) into the cardholder data environment. Examples of remote access applications include virtual private network (VPN), virtual desktop infrastructure (VDI), remote desktop (RDP), Secure Shell (SSH), etc. In addition, PCI also published several supporting documents to help organizations deploy MFA in a compliant manner.
Organizations that need to meet PCI requirements can refer to the official documents; however, the official requirements can be nuanced and open to interpretation. At Duo, several of our customers asked us for clarification regarding PCI requirements. To address their concerns, Duo engaged Payments Security Compliance (PSC), part of NCC Group, to write a white paper that describes how the MFA requirements can be implemented in a compliant manner.
PSC helps thousands of organizations, guiding them through PCI compliance requirements. The white paper is written by Paul Guthrie, who has deep experience in the PCI domain. Paul has over 20 years of payments and security expertise, and is a practicing Qualified Security Assessor (QSA) with over 200 Level 1 assessments completed.
PSC evaluated Duo against the existing PCI requirements in v3.2 and found Duo is able to meet all of its MFA requirements. In addition, this white paper also describes best practices and scenarios to implement MFA in your PCI environment to both meet compliance and ensure remote access to your network is secured. If you want to get access to the white paper, please get in touch with your account executive.